Berlin, 12-17 October 2014, Busch, Gjønnes, Tveraaen
Common Safety Method or Best Practice - A Practical Implementation of
CSM-RA
Carsten Busch, Kjetil Gjønnes, Mona Tveraaen
Jernbaneverket
SUMMARY
What’s in it for us - that was the leading principle that Jernbaneverket followed when implementing the Common
Safety Method on Risk Evaluation and Assessment (CSM-RA). This paper, based on practical experiences,
describes how to benefit from the CSM-RA, both by making the best of the smart elements in the process
described in the CSM-RA and by organizing internally. It also discusses challenges that have been experienced
with the application of the CSM-RA. Among others, this paper makes the following points:
• The CSM-RA has added value instead of being an administrative burden.
• Flexible application makes it useful for any project/change, not only for significant changes.
• A practical, mainly qualitative approach has given a wider involvement and understanding outside the exclusive circle of risk experts, and hence a better basis for informed management decisions and for safety management.
• Internally organized Independent Assessment Body can facilitate experience transfer and organisational learning while maintaining independence.
• A pool of multi-disciplined professionals helps to build and maintain competence.
So what was in it for us? If applied in a reasonable way the process may give better organisational learning, more
transparent and risk based decisions and – yet to be proven – the expected added value of a safety management
that goes beyond the decision point and truly ensures lifecycle safety.
INTRODUCTION
The Common Safety Method on Risk Evaluation and Assessment (CSM-RA) came into force between 2010 and
2012. The CSM-RA aims to harmonize the risk management processes used to assess the safety levels and the
compliance with safety requirements, the exchange of safety-relevant information between different actors within
the rail sector and the evidence resulting from the application of a risk management process.
Benchmarking among railway undertakings and infrastructure managers in various countries shows that the
CSM-RA has been implemented quite differently in various countries and companies. Additionally the CSM-RA is
seen by some rail safety professionals as complicated and as something that should be avoided rather than used,
if possible. In our experience the CSM-RA, if applied well, is beneficial for various aspects of safety management.
Following the discussions in various professional forums we get the impression that too much focus and effort is
put into two steps of the process in particular:
• What is a significant change – apparently aiming at avoiding the application of the process, and
• Quantitative risk acceptance criteria – possibly because it is believed to be more objective and easier to base a decision on.
In fact, these elements are among the less important ones to achieve a good safety management and hence
obtain a good level of safety. Instead:
• All decisions should be risk based, but the level of scrutiny should be adjusted to the complexity of the change. If applied reasonably the process supports educated decision making without excessive bureaucracy; and
• Risk acceptance based on qualitative estimation and evaluation is often more robust, more transparent and more transferable than quantitative risk acceptance, which is based on multiple – more or less hidden – assumptions and simplified models and excludes understanding among the decision makers.
What should be emphasized is:
• the identified hazards,
• the identified possible risk reducing measures (and the individual link between each hazard and measure),
• the documented decision process on which measures should be implemented (Safety requirements),
• the life time follow-up of the implemented measures – including experience feedback of the efficiency of the measures (Hazard management).
This paper describes how to benefit from the CSM-RA, both by making the best of the smart elements in the
process described in the CSM-RA and by organizing internally. It also discusses challenges that have been
experienced with the application of the CSM-RA.
THE CSM-RA - ORIGINS AND IMPLEMENTATION
Europe
The Common Safety Method on Risk Evaluation and Assessment (CSM-RA) as referred to in article 6(3)(a) of the
Railway Safety Directive was decided by the EU Commission and the Commission CSM Regulation on risk
assessment (352/2009) was published in the Official Journal of the European Union on 29 April 2009.
The aim of the CSM-RA is to harmonize:
• the risk management processes used to assess the safety levels and the compliance with safety requirements,
• the exchange of safety-relevant information between different actors within the rail sector in order to manage the safety across the different interfaces which may exist within the sector, and
• the evidence resulting from the application of the risk management process.
The CSM-RA contains a number of steps in the risk management process¹, including system definition, risk
analysis, selection of Risk Acceptance Principles, Risk Evaluation, the implementation and
verification/demonstration of safety requirement, hazard management and independent assessment of the risk
management process. This is illustrated in the figure below that is taken from the CSM-RA regulation.
1 One may remark that although referred to as a method the CSM-RA does not contain a risk assessment method as such,
but rather describes a process for the risk assessment and management.
Figure 1: The risk management process as pictured in the CSM-RA
Due to the relative novelty of some of the regulation’s elements for several member states it was decided to have
a gradual implementation and thus the CSM-RA has been implemented in two phases. The first phase took effect
19 July 2010 covering all significant changes affecting vehicles, and all significant changes concerning structural
sub-systems where required by Article 14(1) of Directive 2008/57/EC or by a TSI. All other applications of the
CSM-RA were voluntary until 1 July 2012 when the CSM-RA became mandatory for all significant changes,
including operational and organizational changes. This gradual implementation was chosen to give actors the
opportunity to learn and apply the new common approach and gain experience from it².
The implementation of the CSM-RA was supported by a series of workshops organized by the ERA’s Safety Unit
in different European cities where actors were invited to discuss the CSM-RA and its application.
Implementation in Norwegian legislation
In Norway the CSM-RA was implemented by creating regulation “Forskrift om felles sikkerhetsmetode for
risikovurderinger” (FOR-2010-03-12-401), which came into force on 12 March 2010. This national regulation
directly implemented the integral CSM-RA regulation through an unofficial translation as well as by pointing to the
official version in English language.
2 At least this has been the intention. The question is how many companies actually have tried to gain experience with the
CSM-RA before it became mandatory.
Unlike other countries the principles of the CSM-RA were not entirely new for Norwegian railways. The national
regulation sikkerhetsforskriften³, which is the Norwegian implementation of the EU Railway Safety Directive
(2004/49/EC)⁴, required that the National Safety Authority (NSA)/Railway Inspectorate (SJT) were notified of
changes in the infrastructure. The NSA/SJT was then to decide if an application to ask for permission to take the
new/changed infrastructure in service was required. Exceptions from the notification regime were maintenance
work and 1:1-replacements where elements were replaced by (near) identical elements or elements with an
identical function. While this regime has a different background than the CSM-RA, it did already ensure that any
change in the infrastructure had a risk assessment before implementation of the change and it hints at a basic
assessment of significance.
Also the different risk acceptance principles as described in the CSM-RA were not entirely new as they had been
used in a similar way to check out risk acceptance criteria.
Safety management in Jernbaneverket
For many years Jernbaneverket has had a management system of which safety management is an integral part.
The Safety Management System specifies a method/process for risk assessments and has a number of tools
available for the execution and documentation of risk assessments. Jernbaneverket also created a special
archive, or digital library, for risk assessments to facilitate documentation and access to them, follow-up of
hazards and preconditions and experience transfer between projects and locations.
The Safety Management System also contains risk acceptance criteria for Societal Risk and Individual Risk for
various target groups and descriptions (principles) how to meet these risk acceptance criteria, for example by
explicit estimation or by referring to a standard system. In fact it must be noted that early drafts of the CSM-RA
were in part the basis and inspiration for the internal management system processes and documents, several
years before the actual CSM-RA regulation was decided.
Jernbaneverket has an extensive professional organization to support management and employees in their
responsibilities with regard to safety management. The units that are responsible for operational tasks like traffic
control, construction of new infrastructure or maintenance and improvement of existing infrastructure have their
own safety professionals to support line management in their safety tasks, like doing risk assessments. Most
project managers and line managers on a certain level have dedicated safety professionals to support them.
There are a total of some 120 safety professionals, including hired consultants (mostly for construction projects).
The central safety staff is responsible for methods and tools on a system level as well as for the maintenance of the
internal professional network for competence building and experience transfer.
As a general rule any change in the organization or infrastructure is subject to a form of risk assessment.
Changes in the infrastructure were under a notification regime as described above. Notifications and applications
for permission to take new or changed infrastructure in operation were always to be sent to the NSA/SJT
including relevant risk assessments. Later also organizational and operational changes were subject to formal risk
assessments.
Initially the quality of risk assessments was variable. Differences in the understanding of the roles of
quality assurance and approval of risk assessments were also identified. What did signatures on the document’s front
page actually mean? Who owned and approved the document? What does a quality check imply?
To guarantee and improve the quality of risk assessments a peer review regime for risk assessments was
implemented around late 2006. This peer review regime for risk assessments works as follows:
3 In the meantime replaced by, among others, the sikkerhetsstyringsforskriften.
4 Which in turn of course originally for a large part has been modeled on Norwegian safety regulations.
• Before a risk assessment can be approved by the responsible manager, it has to be peer reviewed by a qualified reviewer.
• The reviewers have to fulfill a number of requirements:
  o They have to be independent from the project (i.e. not actively involved in any activities directly related to the project).
  o They must have solid experience in doing/leading risk assessments in Jernbaneverket.
  o They must have participated in a one day workshop in order to gain understanding of the quality requirements for risk assessments and tools (as specified in a checklist in the safety management system).
  o They must keep this qualification up to date by taking part in two yearly refresher workshops.
• The peer review is performed according to the criteria in the checklist. Any shortcomings are corrected and, if necessary, the risk assessment is peer reviewed once more before it is sent for formal approval.
Looking back, Jernbaneverket’s regime of peer review and quality assurance has led to a higher level of
quality of risk assessments, a better documentation of hazards and risks, a more uniform application of risk
acceptance criteria and risk assessment methods and an increased application of risk assessments as a naturally
used tool in case of changes - large and small, technical, operational and organizational.
Implementation of the CSM-RA in Jernbaneverket
Some rail safety professionals perceive the CSM-RA as something that should be avoided rather than used,
which is evidenced by a certain reluctance to classify a change as significant and applying a rather “high
threshold” for the significance. Partly this may be due to the regulation being new, triggering a certain aversion to
change existing practices. Also European regulations are often perceived as complicated.
It is also seen that some - for various reasons - want to maintain a complicated approach to the CSM-RA. One
real-life example that has been observed recently is an on-going, modestly sized project where a consultant
has spent a disproportionate amount of time on the work as an Independent Assessment Body (IAB).
There is a fear that applying the CSM-RA triggers a lot of additional work; it is seen as something that is of little
additional value to oneself, but rather something that has to be done for the inspectorate as part of a notification
or request for approval to take infrastructure into service. This perception is untrue because nearly all elements
from the CSM-RA are ordinary steps in a project. Only the significance assessment and the possible work of the
IAB are exceptions to this statement.
The aim of the implementation of the CSM-RA in Jernbaneverket was contrary to these popular beliefs.
Jernbaneverket’s aim was to benefit from the regulation by making the best out of the smart elements in the
process described in the CSM-RA by adopting a pragmatic and practical approach and especially by organizing
all elements internally. Also some attention was given to ‘demystify’ the regulation’s aim and contents. This
means that primarily the stakeholder was to define the standard of how the CSM-RA was to be implemented on
Norwegian rail infrastructure, instead of leaving the definition of the standard to consultants as has happened on
many other occasions before.
As discussed above many elements/requirements were already implemented in Jernbaneverket’s Safety
Management System. The result was that the principles of the CSM-RA with regard to risk assessment and
hazard management had been implemented such that they applied in a flexible way to any change, regardless of size
or significance. When the CSM-RA was introduced in Norwegian regulations in 2010 (with full application from
2012 on), further implementation of the CSM-RA required mainly the formalization of a method for the
Independent Assessment Body within Jernbaneverket.
Because most elements already were implemented in the Safety Management System it was briefly considered to
apply the CSM-RA for every project. After all there was only a minimal gap between the daily practice and the
requirements in the regulation. For instance the peer review regime for risk assessments could be considered
to be an “IAB light”.
Eventually it was decided not to apply the CSM-RA for every project in order not to put an additional administrative
burden (specifically that of writing a formal Safety Assessment Report by the IAB) on all projects, including the many
small projects where a formal Safety Assessment Report would have little added value, not more than a
peer-reviewed risk assessment.
In a way, however, the implementation of the CSM-RA in Jernbaneverket’s Safety Management System has led
to a flexible application for any project/change instead of being a tool only for “significant” changes. The
pragmatic and practically oriented approach clarifies the added value (in contrast to perceived administrative
burden), which leads to greater ownership of the process and increased use of the process.
Part of Jernbaneverket’s flexible implementation process was that instead of starting with a complete package the
missing tools (e.g. how to write the report) were developed as the implementation went along in a kind of trial and
error/tinkering process. For example, it was chosen to work with temporary status reports that were discussed
during regular meetings between the IAB and representatives from the projects. Based on feedback and
experiences the template for the report was altered and adapted to have mutual benefit from the document so
that it allowed for documenting the IAB’s verdict about the Risk Management process as well as tracking actions
and the work done by the IAB.
Benchmark
To support the implementation within Jernbaneverket an international benchmark was conducted among other
railway companies to get an impression of best practices of the implementation of the CSM-RA.
In late 2013 a questionnaire was sent out by Jernbaneverket among members of the International Rail Safety
Network (IRSN, a sub-group of the UIC Safety Platform). Out of ca. 15 European IRSN members, 9
(infrastructure managers or railway undertakings, or both) replied to the questionnaire. All have experience with the
regulation.
Conclusions from the benchmark (details cannot be given for reasons of confidentiality):
• All respondents had implemented the CSM-RA as part of their safety management system.
• As basis for the significance assessment all respondents used the six criteria from the regulation; some had defined additional criteria.
• «Lower» limits for the significance assessment have not been mentioned. Most appear to apply the assessment regardless of the «size» of the change; some even express this explicitly.
• Most respondents used both internal and external assessment bodies; one respondent outsourced everything and another uses only internal assessment bodies.
• Those who had established internal assessment bodies had widely different organizations of the IAB, some relying on an ad-hoc organization while others had more, or fully, structured organizations.
• The process for participation of the IAB in projects also varied widely. Respondents who outsourced all or most of the IAB’s work came rather late into processes (typically shortly before the end of a project) while those with a preference for internal assessment bodies also prefer involvement in projects as early as possible.
• There is no unified form of the Safety Assessment Report, although most members referred to the regulation for specifications of the contents.
This benchmark among railway undertakings and infrastructure managers in various countries shows that the
CSM-RA has been implemented quite differently in various countries and companies.
Internal organization of the IAB in Jernbaneverket
It was chosen to establish an internal pool of qualified experts from various backgrounds and departments who
could take on the role of IAB for projects which required so instead of outsourcing this function. Advantages and
background for the way chosen include the desire to retain knowledge within the organization, to improve
experience transfer (both between projects and between IAB) and contribute to organizational learning.
A Steering Group was established in late 2012 to manage the implementation and improvement of the IAB
function within the company. This Steering Group was chaired by the Safety Manager from the Central Safety
Department with participation of senior safety professionals from all divisions. This broad involvement helped to
ensure independence of the IABs (offering the opportunity to cross-use IABs from one division for projects of
another division) and secured involvement across the entire company.
To man the internal IAB function a pool of qualified assessors was established in spring 2013. Whether internal
advisors were qualified to take part in this pool was to be decided by members of the Steering Group, based on
competence («senior» safety/quality/RAMS personnel and qualified for the peer review for risk assessment) and
independence from the project.
It was chosen not to establish a full-time IAB department, but to draw on professionals who as part of their
ordinary job (e.g. as Safety Advisor) could be appointed as IAB for certain projects. Expected advantages of this
approach were that professionals with fresh hands-on experience in doing risk assessments and other elements
of risk management could use their knowledge while doing an independent assessment of another project, and at
the same time gain experiences that could improve their ordinary job. Independence from projects was not
guaranteed by having IABs in an absolutely independent department, but rather by relying on relative
independence (e.g. a safety professional from the Traffic division acting as IAB at a Construction project).
Projects applied for support by an IAB at the Steering Group and the IABs were then assigned to projects by the
Steering Group. At first the IAB pool started with a limited number of personnel; as more demand for this support
arose, the pool was enlarged and new members in the pool teamed up with more experienced IABs.
So far around 15 large projects, including the implementation of ERTMS on a track in the greater Oslo area, the
Follobanen (a project that will establish 19 km of double track tunnel between Ski and Oslo) and Holm-Nykirke (a
project on the west side of the Oslofjord that will deliver 14 km of double track with an in-tunnel station).
Initially Jernbaneverket hired some experienced and highly qualified consultants for one or two projects and
involved them in the feedback meetings for IABs in order to get outside input in building methods, processes and
tools.
The process of the IAB can be described with the flowchart below: after a project has signalled its need for an IAB
and one has been appointed, the work starts with a kick-off meeting where the IAB and the project clarify working
methods, expectations, schedule and milestones. Subjects to discuss in the kick-off meeting are, among others, the scope of
the project (and thus of the IAB’s work) and its organization, the process for the IAB, points of contact and
(access to) documentation. After an initial review of relevant documentation the IAB will come up with a plan for the
independent assessment, which includes a number of meetings and further documents to review or people to
interview. In the course of time the activities from the assessment plan will be executed and documented by the
IAB in a temporary Assessment Report. This contains an overview of meetings and subjects discussed, as well
as a log of findings/observations and how the project decides to follow up on these. This will see several
iterations. A final Assessment Report is delivered by the IAB after the project is finished.
This final point is significant. Many projects don’t realise that the IAB’s tasks continue until after the handover of
a project to operations because not all hazards can be managed in the project; some hazards are transferred to
the operations phase.
Figure 2: Flowchart describing the process for the IAB within Jernbaneverket
APPROACH AND EXPERIENCES
After almost a year of working with the IAB internally organized within Jernbaneverket, serving approximately 15
major infrastructure projects, and ample experience with other elements of the CSM-RA we now can share
experiences and challenges that Jernbaneverket has come across and provide practical approaches for the
application of the CSM-RA.
In retrospect one can conclude that the implementation of the CSM-RA in Jernbaneverket’s Safety Management
System went relatively easily. This was in part thanks to the ‘head start’ as described before: having the
opportunity to implement gradually helps. Another factor that contributed to the implementation was the flexible
process that was applied. Some elements, like the significance assessment, were first applied in practice, and
then incorporated into the Safety Management System. This approach ensured that the Management System
describes the best practice that is followed instead of a theoretical approach that is hard to use in practice.
Significance assessment
Implementation of the Significance Assessment happened in two different forms within Jernbaneverket, and this
was one of the elements of the CSM-RA that was first used in practice and only afterwards incorporated into the
Safety Management System. The reason for this was that the Significance Assessment has been coupled to the
notification of infrastructure changes to the NSA/SJT.
[Text from the Figure 2 flowchart: Delivery of documentation from project (project plan, system definition, RAMS plan/safety plan); Kick-off meeting; Assessment plan; Activities according to assessment plan; Status and info meetings; Temporary Assessment report with log of observations and follow-up; Assessment report]
The first form was a detailed template where each sub-system of the infrastructure was assessed separately on
the six criteria as specified in the CSM-RA after which a general conclusion was drawn. The second form was the
one practiced for smaller projects where the six criteria for significance from the CSM-RA were discussed as part
of the notification that was sent to the NSA.
While neither of the two forms is necessarily better than the other, we have seen instances where the Significance
Assessment has led to a disproportionate use of time, while it should have been an easy, obvious decision due to
the project’s nature, and even more because the signalling system was a part of the TSI-CCS⁵, which requires use
of the CSM-RA.
Another problem that has been observed is that sub-projects, or newly added parts to a project, were subject to
an additional (unnecessary) Significance Assessment while the project as a whole had already been assessed as
having to follow the CSM-RA.
Experience also teaches that good guidance on the criteria for significance is needed. For example:
• what does “failure consequence” mean (e.g. only consequences related to the actual change should be included),
• how to handle “reversibility” (blowing up part of a mountain to build a track indeed is not reversible, but not the issue here),
• complexity and a combination of various disciplines in one project is not necessarily the same.
The Significance Assessment in itself should be a relatively simple process which can be done in a structured way
with minimum effort.
Process of risk assessment
As described before Jernbaneverket’s Safety Management System already followed largely the process that is
described in the CSM-RA. Over a period of about seven years several elements have turned out to be beneficial
for projects and safety management:
• instead of a “one-size-fits-all” approach that may be too bureaucratic for smaller projects, adjustment of the risk assessment to the complexity of the change or project makes it fit for purpose and useful,
• the approach can be used for technical, organizational or operational changes without any problems,
• the peer review regime has led to secured quality of risk assessments and, over the course of years, also to a higher level of risk assessments in general,
• the creation of a centralized digital risk assessment archive facilitates sharing of information, experience transfer and re-use of previously done work in similar cases,
• the creation of a digital tool, called strekningsanalyse, that connects various databases, among which a risk model, the asset management database, the train plan, the risk assessment archive and the incident reporting and handling system. This allows for even greater access to good data, which enables management and safety professionals to perform their tasks more efficiently and have better control.
5 Technical specification for interoperability relating to the control-command and signalling subsystems of the trans-European rail system.
Figure 3: Screenshot of the Strekningsanalyse tool
As said before, the Safety Assessment Report is perceived by some as something that is done for the NSA (since
it shall be sent to the NSA as part of the application for permission to take infrastructure into use), but the report is
actually meant for the benefit of the project to strengthen and document the project’s risk management. This view
is clearly shared by the NSA/SJT.
Use of Risk Acceptance Principles
The risk management process includes three alternative principles:
• Code of Practice (CoP): the acceptability is proven by the establishment of the code.
• Similar reference system: acceptability based on “proven in use”.
• Explicit risk estimation - how to document.
The alternative principles are applied to each identified hazard (not the whole system). For most systems, a
combination of the three will be applicable. Most changes will consist entirely of standard elements (CoP or
Reference system). But at the same time, all changes will require some explicit risk estimation, since the use of a
combination and interaction of standard elements will (almost) always involve interfaces, operation, external
factors, that are unique and sometimes novel.
As mentioned earlier, there seems to be an excessive focus on quantitative risk estimation and risk acceptance
rather than qualitative. It may be in the interest of certain disciplines to keep the methodology complex in this way
and hence suitable for outsourcing. It may also be an understanding of qualitative assessments as more neutral,
more binding, more transferable and less subject to manipulation. We would argue that the opposite is more
likely.
Even if a quantitative approach resembles a mathematical proof, it hides a number of necessary assumptions,
limitations and simplifications. Whereas a qualitative approach that focuses on hazards, scenarios and practical
barriers and other risk reducing measures is more transparent and less subject to difference in opinion. This
approach also allows for a better understanding among non-specialists in risk assessment, e.g. the actual
decision maker. Not only will this lead to informed decisions; a better understanding and involvement among
other professions will ensure a more qualified vigilance, maintenance etc. by various staff.
A qualitative estimation is also better for identifying non-technical risk such as interfaces and operations. As more
risk is controlled by technical measures, this will be an increasing share of the risk. The CSM-RA applies also to
operational and organizational changes. For these, a qualitative approach seems to be the only one feasible.
Risk acceptance criteria have traditionally been misunderstood as something quantitative - the different risk
acceptance principles mentioned in the CSM-RA have added greatly to the understanding that risk acceptance
criteria can also be qualitative, for example ‘standard system’ or qualitative estimation to evaluate acceptable risk.
Hazard management
Hazard management has been the most challenging element of CSM – or any process of risk management – and
the topic from which the organization has the most to gain. As of now, hazard management is constrained by the
lack of a customized (digital) tool. Identified hazards are followed up through various types of hazard logs and
registers, many using Excel files, which have several limitations. An obvious disadvantage is that it is difficult to get
an overview of the various hazards across projects and throughout the project lifecycle. The aims of implementing
hazard management into the Strekningsanalyse tool are to:
enable easier and more dynamic transfer of hazards and follow-up between the various project phases
and operations,
enable comparisons of effects of safety measures across different projects,
provide track managers with the overview of measures and preconditions related to the infrastructure
they are responsible for,
provide better traceability.
CSM requires all hazards to be included in the hazard log. This has proven to give large, unmanageable lists
in which the key hazards disappear among the vast number of hazards.
The Strekningsanalyse risk tool combines various safety related information linked to a location. This includes
technical barriers, estimated risk, and incidents and accidents (statistics and individually described). In the future it will
also include safety requirements and preconditions put down in risk assessments. This will allow for
manageable hazard management in a life cycle perspective, accumulated for the whole network.
Figure 4: Sample from Strekningsanalyse showing a level crossing with details on technical protection, risk,
incidents and accidents, etc.
One clear benefit of the application of the CSM-RA and activities of an IAB in a project is that it strengthens the
follow-up of preconditions and eventual changes to the project. A well-applied IAB can therefore be an important
element in the management of change, even though the role of IAB never was meant to be that in the first place.
Organizational learning
One main reason for the chosen path for implementation was to have a maximum potential for organizational
learning, something which could only be done by using internal personnel in the role of the
Independent Assessment Body (IAB). Had the task of the IAB been outsourced, lower ownership of the process was to
be expected, and the knowledge and experience transfer would for the greater part have happened outside of the
organisation.
There have been regular feedback meetings (roughly every other month) for both the steering group and the
professionals that participated in the IAB pool. In these meetings the status of each project was reviewed, issues
that had arisen during the work with the projects or the documentation were discussed, new developments were
reviewed and several meetings concentrated on the in-depth study of one case in order to find best practices.
External IABs were also invited to these feedback meetings.
The Safety Assessment Report was also designed for the benefit of continuous improvement and
organizational learning as described above.
Besides the organizational learning within the pool of safety professionals involved in the CSM-RA (and especially
the IAB) there was also organizational learning for the projects. The internal IAB had the possibility to
communicate what worked and what didn’t, thus facilitating experience transfer from one project to another.
Finally, having an internal IAB function within the company enables direct feedback about safety management
system procedures and routines from projects to Safety and Quality professionals in central positions. This has
for example led to revision of some Safety Management System documents/templates, an internal discussion
about quantitative analyses and clarifications about how to handle external assessment reports by the project.
Independence and the role of IAB
Since Jernbaneverket chose to primarily use internal Safety and Quality advisors in the role of IAB, one issue that
arose was how to deal with having various roles at the same time. Because the people acting as IAB are highly
competent and knowledgeable internal Safety and Quality advisors, it was very tempting to get into an
advising/guiding role during the process, for example when there were questions about how to apply risk
assessment methods or how to handle the hazard log. There is a thin line between advising and losing one’s
independence.
The advising role does, of course, have benefits, and especially early in a project it can be
relatively unproblematic to “switch hats” during a meeting, from IAB to Safety advisor and back. This helps
one project learn from the others, which in the end will help to achieve a safer and more efficient way of
working.
The IAB and NoBo
One issue that had to be cleared up early in the implementation of a routine for IAB within Jernbaneverket was
the involvement of a Notified Body (NoBo). Article 7(3) of regulation 352/2009 says that:
“In the case referred to in point (b) of Article 5(1), the independent assessment shall be part of the task of the
notified body, unless otherwise prescribed by the TSI.”
It was our concern that the TSI would overrule our choice of how to perform the task of IAB. We assumed that the
intention of the article was to avoid unnecessary cost and formalities with two external bodies in a project.
Another point of concern was that this opened the way for one IAB for sub-systems where this is prescribed by a TSI and
one or more IABs for other sub-systems. In our view this would conflict with the basic philosophy that the IAB
shall ensure that the whole of the safety management in a project is covered, not just a collection of parts.
Jernbaneverket felt that the use of an internal IAB that is independent of the project gave a better opportunity for
learning and improvement between projects, as well as a better total view, than if this was outsourced to
a couple of different consultants or NoBos. For this reason the question about the demarcation line between the
tasks of NoBo and IAB was checked with both the ERA and the NSA.
The NSA acknowledged the added value of an internal IAB. The NSA was of the opinion that the regulation
clearly stipulates that, in cases where the application of the CSM-RA was made
mandatory through a TSI, the role of IAB shall be part of the tasks of the NoBo. In that respect Jernbaneverket’s
concern that article 7(3) would overrule its choice of IAB was real and something that Jernbaneverket had to
accept and manage.
However, the NSA was of the opinion that even if the independent assessment was part of the task of the NoBo,
it would still be possible to arrange this such that the task could be performed by Jernbaneverket’s internal IAB. A
NoBo has the possibility to outsource part of its tasks to others, and this gives Jernbaneverket the opportunity to
contractually oblige NoBos to have the independent assessment done by Jernbaneverket’s internal IAB, whose
report is then cross-accepted by the NoBo.
This explanation of the regulation was supported by the answer from ERA.
CONCLUSION
This paper started with the question: “CSM-RA, What’s in it for us”. Looking back on experiences from and after
the implementation one can conclude that if applied in a reasonable way the process described in the CSM-RA
may give better organisational learning, more transparent and risk based decisions and – yet to be proven – the
expected added value of a safety management that goes beyond the decision point and truly ensures lifecycle
safety.